reviewer system integ.pdf
System Integration

1. System Integration
- The process of creating a complex information system that may include designing or building a customized architecture or application, integrating it with new or existing hardware, packaged and custom software, and communications.

2. Architecture
- The organization of a system, including all components, how they interact with each other, the environment in which they operate, and the principles used to design the software.

3. Application Program Interfaces
- Interfaces that allow different software applications to communicate with each other.

4. JSON
- A standard text-based format for representing structured data based on JavaScript object syntax, commonly used for transmitting data in web applications.

5. Extensible Markup Language (XML)
- Lets you define and store data in a shareable manner.

6. API First approach
- Prioritizes APIs at the beginning of the software development process, positioning APIs as the building blocks of software.

7. API Lifecycle
- The series of steps that teams must take to successfully design, develop, deploy, and consume APIs.

8. Benefits of API Lifecycle Management
- Increased productivity, greater visibility, and organizational alignment within an organization.

API Lifecycle Management and Development

9. Stage 1 - Define
- Involves defining the operational, business, process and security requirements for a single API or group of APIs.

10. Stage 2 - Design
- Involves making intentional decisions about how an API will expose data to consumers and capturing these decisions in an API definition.

11. Stage 3 - Develop
- Tasks developers with writing code that implements the API's intended functionality, using version control and repositories to manage changes.

12. Stage 4 - Test
- Involves confirming that an API is working as expected through manual or automated testing, including different types of tests like contract and performance tests.

13. Stage 5 - Secure
- Involves checking an API for common security vulnerabilities to ensure the application's overall security posture.

14. Stage 6 - Deploy
- Refers to the process of publishing APIs to development, staging, and production environments using CI/CD pipelines and API gateways.

15. Stage 7 - Observe
- Involves collecting, visualizing, and alerting on API telemetry data in production to surface errors, latency, and security vulnerabilities.

16. Stage 8 - Distribute
- Focuses on improving an API's discoverability through API catalogs, both public and private, to support third-party consumers and internal teams.

17. XAMPP
- A free and open-source cross-platform web server solution stack package.

18. Notepad++
- A text editor and source code editor for use with Microsoft Windows.

19. SQLyOG Community
- A database management tool for MySQL.

20. Thunder Client - VSCode Plugin
- A Visual Studio Code plugin for API testing and debugging.

21. Slim Framework
- A PHP micro-framework that helps you quickly write simple yet powerful web applications and APIs.

22. Composer
- A tool for dependency management in PHP, allowing you to declare the libraries your project depends on; it will manage (install/update) them for you.

23. Jsend
- A specification that lays down some rules for how JSON responses from web servers should be formatted.

24. Endpoint
- Point of contact between an API client and server.

25. HTTP Method
- Used to indicate the action an API client would like to.
  POST – retrieve data from a server
  GET – send data to the server to create a new resource
  PUT – update or replace an existing resource
  DELETE – remove a resource from the server
  PATCH – only update data

Understanding API Security and JSON Web Tokens

1. API Security
- Process of safeguarding APIs from attacks due to their access to sensitive functions and data.

2. REST
- Simpler API approach using HTTP/S, often with JSON for data transfer.

3. JSON Web Token (JWT)
- Open standard for secure data transmission between parties in JSON format.

4. Authorization
- Common use of JWT where users access permitted routes and resources.

5. Information Exchange
- Securely transmitting data between parties using signed JWTs.
  o Single Sign-On – feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.

Structure of JWT

6. Header
- Part of JWT specifying signing algorithm and token type.

7. Payload
- Contains claims or JSON object in a JWT.

8. Signature
- Unique hash created with secret key to verify JWT integrity.
- Generated via cryptographic algorithm.

Header Component

9. HS256
- Symmetric algorithm using one secret key for JWT signing and verification.

10. RS256
- Asymmetric algorithm using private key for JWT signing and public key for verification.

Payload Component

11. Issuer (iss)
- Claim in JWT indicating the entity issuing the token.

12. Subject (sub)
- Claim in JWT identifying the subject of the token.

13. Audience (aud)
- Claim in JWT specifying the intended audience for the token.

14. Expiration time (exp)
- Claim in JWT defining the token's expiry time.

15. Not before (nbf)
- Claim in JWT indicating the earliest time the token can be used.

16. Issued at (iat)
- Claim in JWT specifying the token's issuance time.

17. JWT ID (jti)
- Claim in JWT providing a unique identifier for the token.

Benefits of using JWT Tokens

18. Stateless Authentication
- Authentication without server session storage, enhancing scalability.

19. Compact and Self-Contained
- All necessary info in token, reducing database queries.

20. Cross-Domain / CORS Friendly
- JWTs facilitate single sign-on across distributed systems.

21. Flexibility
- Ability of JWTs to carry additional user data, reducing API calls.

22. Performance
- Enhanced application speed by minimizing database lookups.

23. Mobile-Friendly
- Suitable for offline-first apps, improving mobile user experiences.

Considerations in using JWT

24. Token Size
- Keeping JWT payloads under 4 KB to avoid performance issues.

25. Token Management
- Challenges in revoking tokens before expiration in stateless JWTs.

26. Weak Signature Algorithms
- Risks associated with using weak signature algorithms in JWTs.

27. XSS Attacks
- Security threat when storing JWTs in localStorage instead of HttpOnly cookies.

28. Token Replay
- Mitigating risks by using short expiration times and token rotation.

29. Insufficient Validation
- Importance of validating token signature and claims on the server side.

30. Token Expiration and Refresh
- Balancing security and user experience by setting appropriate token lifetimes.

31. Security Best Practices
- Using HTTPS, avoiding sensitive data in JWT payload, and secure token storage.

32. Storage on the Client Side
- Considerations for secure token storage, avoiding vulnerabilities like XSS attacks.
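The JWT structure (header.payload.signature), the HS256 signing algorithm and the registered claims (iss, sub, aud, exp, nbf, iat, jti) described above, together with the "Insufficient Validation" point about checking the signature and the claims on the server, can be seen end to end in the following example. It is added here for illustration and is not part of the reviewer notes; it uses only the Python standard library. The secret key, issuer, audience, subject and jti values are constructed for the demo, and the server-side verifier pins the accepted algorithm instead of trusting whatever alg the token announces.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Constructed demo secret for this example only; a real service loads it from a secret store.
SECRET = b"constructed-demo-secret-not-for-production"
# The verifier accepts only the algorithm the server chose (HS256 here); the token's own
# "alg" header is never trusted to pick the algorithm.
ALLOWED_ALGS = {"HS256"}


def _b64url_encode(raw: bytes) -> str:
    # JWT uses base64url without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature: HS256 is an HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str,
                 now: Optional[int] = None) -> dict:
    """Check the signature first, then iss/aud/exp/nbf. Raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("disallowed alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so a wrong signature is not distinguishable by timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired")
    if now < int(claims.get("nbf", 0)):
        raise ValueError("token not yet valid")
    return claims


def _outcome(check: Callable[[], dict]) -> str:
    try:
        check()
        return "ok"
    except ValueError as exc:
        return str(exc)


def demo_results(now: int = 1_700_000_000) -> dict:
    """Issue a 15-minute token and show which checks reject tampered, expired or misdirected tokens."""
    issuer, audience = "https://issuer.example", "orders-api"   # constructed values
    claims = {"iss": issuer, "sub": "user-42", "aud": audience,
              "iat": now, "nbf": now, "exp": now + 900, "jti": "constructed-jti-001"}
    token = sign_hs256(claims, SECRET)
    results = {"valid": verify_hs256(token, SECRET, issuer, audience, now)["sub"]}
    # Change one claim in the payload while keeping the original signature.
    h, p, s = token.split(".")
    edited = json.loads(_b64url_decode(p))
    edited["sub"] = "someone-else"
    tampered = h + "." + _b64url_encode(json.dumps(edited, separators=(",", ":")).encode()) + "." + s
    results["tampered"] = _outcome(lambda: verify_hs256(tampered, SECRET, issuer, audience, now))
    # Same valid token presented after exp has passed.
    results["expired"] = _outcome(lambda: verify_hs256(token, SECRET, issuer, audience, now + 901))
    # Same valid token presented to a different API than the one named in aud.
    results["wrong_audience"] = _outcome(lambda: verify_hs256(token, SECRET, issuer, "other-api", now))
    return results


if __name__ == "__main__":
    print(json.dumps(demo_results(), indent=2))
```

The order of checks matters: the signature is verified before any claim is read, so claims from an unauthenticated payload never influence a decision, and the algorithm is pinned by the server rather than selected by the token. RS256 follows the same shape with an RSA signature over the same signing input and the public key on the verifying side.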